Getting Data In

events not deleting with | delete

tawollen
Path Finder

I want to clear out information from a source that had bad information indexed, so I am trying to do a sourcetype=source | delete.

I do have the can_delete role, and the search deleted about 300,000 events, but there are 43 errors.

    splunk_server   index   deleted   errors
 1  splunkserver    ALL     304232    43
 2  splunkserver    main    304232

When I try the normal search, I still get the 43 events showing up. Re-running the delete command just comes back with the same 43 errors.

Unfortunately, I can't clean the index that has this data. I still need some data from another source in that index.

If I try to drill down into the 43 errors, Splunk opens a new window with a flashtimeline and no search.

1 Solution

tawollen
Path Finder

We just left the data in the index and for future tests where we will be deleting data on a regular basis have created a 'test' index. With the test index we can run "./splunk clean eventdata test" that will clean that index completely so we can re-test an import. Having to do a csv export/import is more effort than we wanted to do. I am still not sure why splunk has issues causing errors when deleting (hiding) some data from an index with the | delete.


Lowell
Super Champion

You can use the exporttool and importtool command line utilities to dump and recreate your index's bucket(s).

This approach lets you export an entire bucket to a single CSV file. You can then use a small csv-processing script (or, if you're careful, a text editor) to strip out the offending lines before you re-create your bucket.

The process goes something like this:

cd $SPLUNK_HOME/var/lib/db/your_index
# Dump the bucket to a single CSV file
exporttool db_xxx_xxx_id export_id.csv -csv
# Edit your export and remove unwanted events
vim export_id.csv
# ...
# Rebuild your bucket from the edited export
importtool db_xxx_xxx_id.NEW export_id.csv
# Swap the rebuilt bucket in, keeping the original until you have verified it
mv db_xxx_xxx_id db_xxx_xxx_id.OLD
mv db_xxx_xxx_id.NEW db_xxx_xxx_id
rm export_id.csv

WARNING: This is a potentially dangerous operation, you should backup and understand buckets and have a general idea of how indexing works before you try anything like this. You could shoot yourself in the foot. You have been warned.

BTW, if you are using event/block signing or anything like that, then you shouldn't try to attempt anything like this.

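The "small csv-processing script" Lowell mentions, as an added example that is not part of the original thread: it filters an exporttool CSV by source and sourcetype while keeping quoted multi-line events intact. The column names in the constructed sample are an assumption; check the header of your own export first.

```python
import csv
import io

# Constructed sample in the shape of an exporttool CSV export. The column names
# are an assumption for this example; the second event spans two lines inside
# its quoted _raw field, which is why line-based grep is the wrong tool here.
SAMPLE_EXPORT = (
    '_time,source,host,sourcetype,_raw,_meta\n'
    '1300000000,/data/bad.csv,web01,Type2,"id=1,status=ok",\n'
    '1300000001,/data/bad.csv,web01,Type2,"id=2,status=fail\nstack: line 1",\n'
    '1300000002,/data/good.log,web01,access_combined,"GET /index.html 200",\n'
    '1300000003,/data/bad.csv,web02,Type1,"id=3,status=ok",\n'
)


def filter_export(csv_text, drop_when):
    """Return (filtered_csv_text, kept, dropped).

    drop_when is a predicate over a row dict; rows for which it returns True are
    removed. The csv module parses quoted newlines as part of the field, so each
    event is handled as one record and the rewritten file stays well-formed.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator='\n')
    writer.writeheader()
    kept = dropped = 0
    for row in reader:
        if drop_when(row):
            dropped += 1
            continue
        writer.writerow(row)
        kept += 1
    return out.getvalue(), kept, dropped


def drop_source_and_sourcetype(source, sourcetypes):
    """Predicate for the thread's case: one bad source indexed under several sourcetypes."""
    wanted = set(sourcetypes)
    return lambda row: row['source'] == source and row['sourcetype'] in wanted


def filter_file(src_path, dst_path, drop_when):
    """Apply the filter to a real export on disk; returns (kept, dropped) for a sanity check."""
    with open(src_path, newline='') as fh:
        filtered, kept, dropped = filter_export(fh.read(), drop_when)
    with open(dst_path, 'w', newline='') as fh:
        fh.write(filtered)
    return kept, dropped


if __name__ == '__main__':
    text, kept, dropped = filter_export(
        SAMPLE_EXPORT, drop_source_and_sourcetype('/data/bad.csv', ['Type1', 'Type2']))
    print(f'kept={kept} dropped={dropped}')
    print(text)
```

Compare the kept/dropped counts against the event count the delete search reported before pointing importtool at the result.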
Genti
Splunk Employee

Since you "desperately" want the data out of the index then you should be able to put some extra work and try this:
Export the data that you care for, csv format. Watch out for the size (rows) of the csv file.
Once you are sure you have all your data that you care for, roll the index and back up your data. Then, clean all the data for the index using the clean command for this index.

Then use inputcsv to get the data back into this clean index. Note again, only 10k data will be imported at once, so you will need to use a little trick to get the data in again.
see THIS for more info on importing large CSV files.

Genti
Splunk Employee

yeap, inputcsv editing the answer

Lowell
Super Champion

What's importcsv? There's the search command inputcsv, and the command line tool importtool. Do you mean one of those?

tawollen
Path Finder

An interesting thing I found is that I had tried sending these events in as different sourcetypes, so the events (300,000) have been in Splunk as both "Type1" and "Type2". When I do the | delete on Type2 I get the same errors. It turns out that the same 43 events will not delete out of either sourcetype.

This was a CSV file that was indexed, and the data source CSV file doesn't look strange for those lines that won't delete.
